config: switch is_ro to rw
This commit is contained in:
parent
b5b47938d9
commit
a2bbe667b9
2
config.c
2
config.c
@ -180,7 +180,7 @@ static bool configParseInternal(struct nsjconf_t *nsjconf, Nsjail__NsJailConfig
|
|||||||
const char *fstype = njc->mount[i]->fstype;
|
const char *fstype = njc->mount[i]->fstype;
|
||||||
const char *options = njc->mount[i]->options;
|
const char *options = njc->mount[i]->options;
|
||||||
|
|
||||||
uintptr_t flags = njc->mount[i]->is_ro ? MS_RDONLY : 0;
|
uintptr_t flags = (njc->mount[i]->rw == false) ? MS_RDONLY : 0;
|
||||||
flags |= njc->mount[i]->is_bind ? (MS_BIND | MS_REC) : 0;
|
flags |= njc->mount[i]->is_bind ? (MS_BIND | MS_REC) : 0;
|
||||||
bool mandatory = njc->mount[i]->mandatory;
|
bool mandatory = njc->mount[i]->mandatory;
|
||||||
|
|
||||||
|
2446
config.pb-c.c
2446
config.pb-c.c
File diff suppressed because it is too large
Load Diff
762
config.pb-c.h
762
config.pb-c.h
@ -7,73 +7,80 @@
|
|||||||
#include <protobuf-c/protobuf-c.h>
|
#include <protobuf-c/protobuf-c.h>
|
||||||
|
|
||||||
PROTOBUF_C__BEGIN_DECLS
|
PROTOBUF_C__BEGIN_DECLS
|
||||||
|
|
||||||
#if PROTOBUF_C_VERSION_NUMBER < 1000000
|
#if PROTOBUF_C_VERSION_NUMBER < 1000000
|
||||||
#error This file was generated by a newer version of protoc-c which is incompatible with your libprotobuf-c headers. Please update your headers.
|
# error This file was generated by a newer version of protoc-c which is incompatible with your libprotobuf-c headers. Please update your headers.
|
||||||
#elif 1002001 < PROTOBUF_C_MIN_COMPILER_VERSION
|
#elif 1002001 < PROTOBUF_C_MIN_COMPILER_VERSION
|
||||||
#error This file was generated by an older version of protoc-c which is incompatible with your libprotobuf-c headers. Please regenerate this file with a newer version of protoc-c.
|
# error This file was generated by an older version of protoc-c which is incompatible with your libprotobuf-c headers. Please regenerate this file with a newer version of protoc-c.
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
typedef struct _Nsjail__IdMap Nsjail__IdMap;
|
typedef struct _Nsjail__IdMap Nsjail__IdMap;
|
||||||
typedef struct _Nsjail__MountPt Nsjail__MountPt;
|
typedef struct _Nsjail__MountPt Nsjail__MountPt;
|
||||||
typedef struct _Nsjail__Exe Nsjail__Exe;
|
typedef struct _Nsjail__Exe Nsjail__Exe;
|
||||||
typedef struct _Nsjail__NsJailConfig Nsjail__NsJailConfig;
|
typedef struct _Nsjail__NsJailConfig Nsjail__NsJailConfig;
|
||||||
|
|
||||||
|
|
||||||
/* --- enums --- */
|
/* --- enums --- */
|
||||||
|
|
||||||
typedef enum _Nsjail__Mode {
|
typedef enum _Nsjail__Mode {
|
||||||
/*
|
/*
|
||||||
* Listening on a TCP port
|
* Listening on a TCP port
|
||||||
*/
|
*/
|
||||||
NSJAIL__MODE__LISTEN = 0,
|
NSJAIL__MODE__LISTEN = 0,
|
||||||
/*
|
/*
|
||||||
* Running the command once only
|
* Running the command once only
|
||||||
*/
|
*/
|
||||||
NSJAIL__MODE__ONCE = 1,
|
NSJAIL__MODE__ONCE = 1,
|
||||||
/*
|
/*
|
||||||
* Re-executing the command (forever)
|
* Re-executing the command (forever)
|
||||||
*/
|
*/
|
||||||
NSJAIL__MODE__RERUN = 2,
|
NSJAIL__MODE__RERUN = 2,
|
||||||
/*
|
/*
|
||||||
* Executing command w/o the supervisor
|
* Executing command w/o the supervisor
|
||||||
*/
|
*/
|
||||||
NSJAIL__MODE__EXECVE = 3 PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(NSJAIL__MODE)
|
NSJAIL__MODE__EXECVE = 3
|
||||||
|
PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(NSJAIL__MODE)
|
||||||
} Nsjail__Mode;
|
} Nsjail__Mode;
|
||||||
/*
|
/*
|
||||||
* Should be self explanatory
|
* Should be self explanatory
|
||||||
*/
|
*/
|
||||||
typedef enum _Nsjail__LogLevel {
|
typedef enum _Nsjail__LogLevel {
|
||||||
/*
|
/*
|
||||||
* Equivalent to the '-v' cmd-line option
|
* Equivalent to the '-v' cmd-line option
|
||||||
*/
|
*/
|
||||||
NSJAIL__LOG_LEVEL__DEBUG = 0,
|
NSJAIL__LOG_LEVEL__DEBUG = 0,
|
||||||
/*
|
/*
|
||||||
* Default level
|
* Default level
|
||||||
*/
|
*/
|
||||||
NSJAIL__LOG_LEVEL__INFO = 1,
|
NSJAIL__LOG_LEVEL__INFO = 1,
|
||||||
/*
|
/*
|
||||||
* Equivalent to the '-q' cmd-line option
|
* Equivalent to the '-q' cmd-line option
|
||||||
*/
|
*/
|
||||||
NSJAIL__LOG_LEVEL__WARNING = 2,
|
NSJAIL__LOG_LEVEL__WARNING = 2,
|
||||||
NSJAIL__LOG_LEVEL__ERROR = 3,
|
NSJAIL__LOG_LEVEL__ERROR = 3,
|
||||||
NSJAIL__LOG_LEVEL__FATAL = 4 PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(NSJAIL__LOG_LEVEL)
|
NSJAIL__LOG_LEVEL__FATAL = 4
|
||||||
|
PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(NSJAIL__LOG_LEVEL)
|
||||||
} Nsjail__LogLevel;
|
} Nsjail__LogLevel;
|
||||||
|
|
||||||
/* --- messages --- */
|
/* --- messages --- */
|
||||||
|
|
||||||
struct _Nsjail__IdMap {
|
struct _Nsjail__IdMap
|
||||||
ProtobufCMessage base;
|
{
|
||||||
/*
|
ProtobufCMessage base;
|
||||||
* Empty string means "current uid/gid"
|
/*
|
||||||
*/
|
* Empty string means "current uid/gid"
|
||||||
char *inside_id;
|
*/
|
||||||
char *outside_id;
|
char *inside_id;
|
||||||
/*
|
char *outside_id;
|
||||||
* See 'man user_namespaces' for the meaning of count
|
/*
|
||||||
*/
|
* See 'man user_namespaces' for the meaning of count
|
||||||
uint32_t count;
|
*/
|
||||||
/*
|
uint32_t count;
|
||||||
* Does this map use /usr/bin/new[u|g]idmap binary?
|
/*
|
||||||
*/
|
* Does this map use /usr/bin/new[u|g]idmap binary?
|
||||||
protobuf_c_boolean use_newidmap;
|
*/
|
||||||
|
protobuf_c_boolean use_newidmap;
|
||||||
};
|
};
|
||||||
extern char nsjail__id_map__inside_id__default_value[];
|
extern char nsjail__id_map__inside_id__default_value[];
|
||||||
extern char nsjail__id_map__outside_id__default_value[];
|
extern char nsjail__id_map__outside_id__default_value[];
|
||||||
@ -81,50 +88,52 @@ extern char nsjail__id_map__outside_id__default_value[];
|
|||||||
{ PROTOBUF_C_MESSAGE_INIT (&nsjail__id_map__descriptor) \
|
{ PROTOBUF_C_MESSAGE_INIT (&nsjail__id_map__descriptor) \
|
||||||
, nsjail__id_map__inside_id__default_value, nsjail__id_map__outside_id__default_value, 1u, 0 }
|
, nsjail__id_map__inside_id__default_value, nsjail__id_map__outside_id__default_value, 1u, 0 }
|
||||||
|
|
||||||
struct _Nsjail__MountPt {
|
|
||||||
ProtobufCMessage base;
|
struct _Nsjail__MountPt
|
||||||
/*
|
{
|
||||||
* Can be skipped for filesystems like 'proc'
|
ProtobufCMessage base;
|
||||||
*/
|
/*
|
||||||
char *src;
|
* Can be skipped for filesystems like 'proc'
|
||||||
/*
|
*/
|
||||||
* Should 'src' path be prefixed with this envvar?
|
char *src;
|
||||||
*/
|
/*
|
||||||
char *prefix_src_env;
|
* Should 'src' path be prefixed with this envvar?
|
||||||
/*
|
*/
|
||||||
* Mount point inside jail
|
char *prefix_src_env;
|
||||||
*/
|
/*
|
||||||
char *dst;
|
* Mount point inside jail
|
||||||
/*
|
*/
|
||||||
* Should 'dst' path be prefixed with this envvar?
|
char *dst;
|
||||||
*/
|
/*
|
||||||
char *prefix_dst_env;
|
* Should 'dst' path be prefixed with this envvar?
|
||||||
/*
|
*/
|
||||||
* Can be empty for mount --bind mounts
|
char *prefix_dst_env;
|
||||||
*/
|
/*
|
||||||
char *fstype;
|
* Can be empty for mount --bind mounts
|
||||||
/*
|
*/
|
||||||
* E.g. size=5000000 for 'tmpfs'
|
char *fstype;
|
||||||
*/
|
/*
|
||||||
char *options;
|
* E.g. size=5000000 for 'tmpfs'
|
||||||
/*
|
*/
|
||||||
* Is it 'mount --bind src dst' type of mount
|
char *options;
|
||||||
*/
|
/*
|
||||||
protobuf_c_boolean is_bind;
|
* Is it 'mount --bind src dst' type of mount
|
||||||
/*
|
*/
|
||||||
* It it RO mount
|
protobuf_c_boolean is_bind;
|
||||||
*/
|
/*
|
||||||
protobuf_c_boolean is_ro;
|
* It it R/W mount
|
||||||
/*
|
*/
|
||||||
* Is it directory? If not specified an internal
|
protobuf_c_boolean rw;
|
||||||
*heuristics will be used to determine that
|
/*
|
||||||
*/
|
* Is it directory? If not specified an internal
|
||||||
protobuf_c_boolean has_is_dir;
|
*heuristics will be used to determine that
|
||||||
protobuf_c_boolean is_dir;
|
*/
|
||||||
/*
|
protobuf_c_boolean has_is_dir;
|
||||||
* Should the sandboxing fail if we cannot mount this resource?
|
protobuf_c_boolean is_dir;
|
||||||
*/
|
/*
|
||||||
protobuf_c_boolean mandatory;
|
* Should the sandboxing fail if we cannot mount this resource?
|
||||||
|
*/
|
||||||
|
protobuf_c_boolean mandatory;
|
||||||
};
|
};
|
||||||
extern char nsjail__mount_pt__fstype__default_value[];
|
extern char nsjail__mount_pt__fstype__default_value[];
|
||||||
extern char nsjail__mount_pt__options__default_value[];
|
extern char nsjail__mount_pt__options__default_value[];
|
||||||
@ -132,234 +141,238 @@ extern char nsjail__mount_pt__options__default_value[];
|
|||||||
{ PROTOBUF_C_MESSAGE_INIT (&nsjail__mount_pt__descriptor) \
|
{ PROTOBUF_C_MESSAGE_INIT (&nsjail__mount_pt__descriptor) \
|
||||||
, NULL, NULL, NULL, NULL, nsjail__mount_pt__fstype__default_value, nsjail__mount_pt__options__default_value, 0, 0, 0,0, 1 }
|
, NULL, NULL, NULL, NULL, nsjail__mount_pt__fstype__default_value, nsjail__mount_pt__options__default_value, 0, 0, 0,0, 1 }
|
||||||
|
|
||||||
struct _Nsjail__Exe {
|
|
||||||
ProtobufCMessage base;
|
struct _Nsjail__Exe
|
||||||
/*
|
{
|
||||||
* Will be used both as execv's path and as argv[0]
|
ProtobufCMessage base;
|
||||||
*/
|
/*
|
||||||
char *path;
|
* Will be used both as execv's path and as argv[0]
|
||||||
/*
|
*/
|
||||||
* This will be argv[1] and so on..
|
char *path;
|
||||||
*/
|
/*
|
||||||
size_t n_arg;
|
* This will be argv[1] and so on..
|
||||||
char **arg;
|
*/
|
||||||
|
size_t n_arg;
|
||||||
|
char **arg;
|
||||||
};
|
};
|
||||||
#define NSJAIL__EXE__INIT \
|
#define NSJAIL__EXE__INIT \
|
||||||
{ PROTOBUF_C_MESSAGE_INIT (&nsjail__exe__descriptor) \
|
{ PROTOBUF_C_MESSAGE_INIT (&nsjail__exe__descriptor) \
|
||||||
, NULL, 0,NULL }
|
, NULL, 0,NULL }
|
||||||
|
|
||||||
struct _Nsjail__NsJailConfig {
|
|
||||||
ProtobufCMessage base;
|
struct _Nsjail__NsJailConfig
|
||||||
/*
|
{
|
||||||
* Optional name and description for this config
|
ProtobufCMessage base;
|
||||||
*/
|
/*
|
||||||
char *name;
|
* Optional name and description for this config
|
||||||
char *description;
|
*/
|
||||||
/*
|
char *name;
|
||||||
* Execution mode: see 'msg Mode' description for more
|
char *description;
|
||||||
*/
|
/*
|
||||||
Nsjail__Mode mode;
|
* Execution mode: see 'msg Mode' description for more
|
||||||
/*
|
*/
|
||||||
* Equivalent to a bind mount with dst='/'
|
Nsjail__Mode mode;
|
||||||
*/
|
/*
|
||||||
char *chroot_dir;
|
* Equivalent to a bind mount with dst='/'
|
||||||
/*
|
*/
|
||||||
* Applies both to the chroot_dir and to /proc mounts
|
char *chroot_dir;
|
||||||
*/
|
/*
|
||||||
protobuf_c_boolean is_root_rw;
|
* Applies both to the chroot_dir and to /proc mounts
|
||||||
/*
|
*/
|
||||||
* Hostname inside jail
|
protobuf_c_boolean is_root_rw;
|
||||||
*/
|
/*
|
||||||
char *hostname;
|
* Hostname inside jail
|
||||||
/*
|
*/
|
||||||
* Initial current working directory for the binary
|
char *hostname;
|
||||||
*/
|
/*
|
||||||
char *cwd;
|
* Initial current working directory for the binary
|
||||||
/*
|
*/
|
||||||
* TCP port to listen to. Valid with mode=LISTEN only
|
char *cwd;
|
||||||
*/
|
/*
|
||||||
uint32_t port;
|
* TCP port to listen to. Valid with mode=LISTEN only
|
||||||
/*
|
*/
|
||||||
* Host to bind to for mode=LISTEN. Must be in IPv6 format
|
uint32_t port;
|
||||||
*/
|
/*
|
||||||
char *bindhost;
|
* Host to bind to for mode=LISTEN. Must be in IPv6 format
|
||||||
/*
|
*/
|
||||||
* For mode=LISTEN, maximum number of connections from a single IP
|
char *bindhost;
|
||||||
*/
|
/*
|
||||||
uint32_t max_conns_per_ip;
|
* For mode=LISTEN, maximum number of connections from a single IP
|
||||||
/*
|
*/
|
||||||
* Wall-time time limit for commands
|
uint32_t max_conns_per_ip;
|
||||||
*/
|
/*
|
||||||
uint32_t time_limit;
|
* Wall-time time limit for commands
|
||||||
/*
|
*/
|
||||||
* Should nsjail go into background?
|
uint32_t time_limit;
|
||||||
*/
|
/*
|
||||||
protobuf_c_boolean daemon;
|
* Should nsjail go into background?
|
||||||
/*
|
*/
|
||||||
* File to save lofs to
|
protobuf_c_boolean daemon;
|
||||||
*/
|
/*
|
||||||
char *log_file;
|
* File to save lofs to
|
||||||
/*
|
*/
|
||||||
* Minimum log level displayed.
|
char *log_file;
|
||||||
*See 'msg LogLevel' description for more
|
/*
|
||||||
*/
|
* Minimum log level displayed.
|
||||||
protobuf_c_boolean has_log_level;
|
*See 'msg LogLevel' description for more
|
||||||
Nsjail__LogLevel log_level;
|
*/
|
||||||
/*
|
protobuf_c_boolean has_log_level;
|
||||||
* Should the current environment variables be kept
|
Nsjail__LogLevel log_level;
|
||||||
*when executing the binary
|
/*
|
||||||
*/
|
* Should the current environment variables be kept
|
||||||
protobuf_c_boolean keep_env;
|
*when executing the binary
|
||||||
/*
|
*/
|
||||||
* EnvVars to be set before executing binaries
|
protobuf_c_boolean keep_env;
|
||||||
*/
|
/*
|
||||||
size_t n_envar;
|
* EnvVars to be set before executing binaries
|
||||||
char **envar;
|
*/
|
||||||
/*
|
size_t n_envar;
|
||||||
* Should nsjail close FD=0,1,2 before executing the process
|
char **envar;
|
||||||
*/
|
/*
|
||||||
protobuf_c_boolean silent;
|
* Should nsjail close FD=0,1,2 before executing the process
|
||||||
/*
|
*/
|
||||||
* Should the child process have control over terminal?
|
protobuf_c_boolean silent;
|
||||||
*Can be useful to allow /bin/sh to provide
|
/*
|
||||||
*job control / signals
|
* Should the child process have control over terminal?
|
||||||
*/
|
*Can be useful to allow /bin/sh to provide
|
||||||
protobuf_c_boolean skip_setsid;
|
*job control / signals
|
||||||
/*
|
*/
|
||||||
* Which FDs should be passed to the newly executed process
|
protobuf_c_boolean skip_setsid;
|
||||||
*By default only FD=0,1,2 are passed
|
/*
|
||||||
*/
|
* Which FDs should be passed to the newly executed process
|
||||||
size_t n_pass_fd;
|
*By default only FD=0,1,2 are passed
|
||||||
int32_t *pass_fd;
|
*/
|
||||||
/*
|
size_t n_pass_fd;
|
||||||
* Should pivot_root be used instead of chroot?
|
int32_t *pass_fd;
|
||||||
*Using pivot_root allows to have subnamespaces
|
/*
|
||||||
*/
|
* Should pivot_root be used instead of chroot?
|
||||||
protobuf_c_boolean pivot_root_only;
|
*Using pivot_root allows to have subnamespaces
|
||||||
/*
|
*/
|
||||||
* Setting it to true will allow to have set-uid binaries
|
protobuf_c_boolean pivot_root_only;
|
||||||
*inside the jail
|
/*
|
||||||
*/
|
* Setting it to true will allow to have set-uid binaries
|
||||||
protobuf_c_boolean disable_no_new_privs;
|
*inside the jail
|
||||||
/*
|
*/
|
||||||
* In MiB
|
protobuf_c_boolean disable_no_new_privs;
|
||||||
*/
|
/*
|
||||||
uint64_t rlimit_as;
|
* In MiB
|
||||||
/*
|
*/
|
||||||
* In MiB
|
uint64_t rlimit_as;
|
||||||
*/
|
/*
|
||||||
uint64_t rlimit_core;
|
* In MiB
|
||||||
/*
|
*/
|
||||||
* In seconds
|
uint64_t rlimit_core;
|
||||||
*/
|
/*
|
||||||
uint64_t rlimit_cpu;
|
* In seconds
|
||||||
/*
|
*/
|
||||||
* In MiB
|
uint64_t rlimit_cpu;
|
||||||
*/
|
/*
|
||||||
uint64_t rlimit_fsize;
|
* In MiB
|
||||||
uint64_t rlimit_nofile;
|
*/
|
||||||
/*
|
uint64_t rlimit_fsize;
|
||||||
* This is system-wide: tricky to use
|
uint64_t rlimit_nofile;
|
||||||
*/
|
/*
|
||||||
protobuf_c_boolean has_rlimit_nproc;
|
* This is system-wide: tricky to use
|
||||||
uint64_t rlimit_nproc;
|
*/
|
||||||
/*
|
protobuf_c_boolean has_rlimit_nproc;
|
||||||
* In MiB
|
uint64_t rlimit_nproc;
|
||||||
*/
|
/*
|
||||||
protobuf_c_boolean has_rlimit_stack;
|
* In MiB
|
||||||
uint64_t rlimit_stack;
|
*/
|
||||||
/*
|
protobuf_c_boolean has_rlimit_stack;
|
||||||
* See 'man personality' for more
|
uint64_t rlimit_stack;
|
||||||
*/
|
/*
|
||||||
protobuf_c_boolean persona_addr_compat_layout;
|
* See 'man personality' for more
|
||||||
protobuf_c_boolean persona_mmap_page_zero;
|
*/
|
||||||
protobuf_c_boolean persona_read_implies_exec;
|
protobuf_c_boolean persona_addr_compat_layout;
|
||||||
protobuf_c_boolean persona_addr_limit_3gb;
|
protobuf_c_boolean persona_mmap_page_zero;
|
||||||
protobuf_c_boolean persona_addr_no_randomize;
|
protobuf_c_boolean persona_read_implies_exec;
|
||||||
/*
|
protobuf_c_boolean persona_addr_limit_3gb;
|
||||||
* Which name-spaces should be used?
|
protobuf_c_boolean persona_addr_no_randomize;
|
||||||
*/
|
/*
|
||||||
protobuf_c_boolean clone_newnet;
|
* Which name-spaces should be used?
|
||||||
protobuf_c_boolean clone_newuser;
|
*/
|
||||||
protobuf_c_boolean clone_newns;
|
protobuf_c_boolean clone_newnet;
|
||||||
protobuf_c_boolean clone_newpid;
|
protobuf_c_boolean clone_newuser;
|
||||||
protobuf_c_boolean clone_newipc;
|
protobuf_c_boolean clone_newns;
|
||||||
protobuf_c_boolean clone_newuts;
|
protobuf_c_boolean clone_newpid;
|
||||||
/*
|
protobuf_c_boolean clone_newipc;
|
||||||
* It's only supported in newer kernels, hence disabled by default
|
protobuf_c_boolean clone_newuts;
|
||||||
*/
|
/*
|
||||||
protobuf_c_boolean clone_newcgroup;
|
* It's only supported in newer kernels, hence disabled by default
|
||||||
/*
|
*/
|
||||||
* Mappings for UIDs and GIDs. See the description for 'msg IdMap'
|
protobuf_c_boolean clone_newcgroup;
|
||||||
*for more
|
/*
|
||||||
*/
|
* Mappings for UIDs and GIDs. See the description for 'msg IdMap'
|
||||||
size_t n_uidmap;
|
*for more
|
||||||
Nsjail__IdMap **uidmap;
|
*/
|
||||||
size_t n_gidmap;
|
size_t n_uidmap;
|
||||||
Nsjail__IdMap **gidmap;
|
Nsjail__IdMap **uidmap;
|
||||||
/*
|
size_t n_gidmap;
|
||||||
* Should /proc be mounted (R/O)? This can also be added in the 'mount'
|
Nsjail__IdMap **gidmap;
|
||||||
*section below
|
/*
|
||||||
*/
|
* Should /proc be mounted (R/O)? This can also be added in the 'mount'
|
||||||
protobuf_c_boolean mount_proc;
|
*section below
|
||||||
/*
|
*/
|
||||||
* Mount points inside the jail. See the description for 'msg MountPt'
|
protobuf_c_boolean mount_proc;
|
||||||
*for more
|
/*
|
||||||
*/
|
* Mount points inside the jail. See the description for 'msg MountPt'
|
||||||
size_t n_mount;
|
*for more
|
||||||
Nsjail__MountPt **mount;
|
*/
|
||||||
/*
|
size_t n_mount;
|
||||||
* Kafel seccomp-bpf policy file or a string:
|
Nsjail__MountPt **mount;
|
||||||
*Homepage of the project: https://github.com/google/kafel
|
/*
|
||||||
*/
|
* Kafel seccomp-bpf policy file or a string:
|
||||||
char *seccomp_policy_file;
|
*Homepage of the project: https://github.com/google/kafel
|
||||||
char *seccomp_string;
|
*/
|
||||||
/*
|
char *seccomp_policy_file;
|
||||||
* If > 0, maximum cumulative size of RAM used inside any jail
|
char *seccomp_string;
|
||||||
*/
|
/*
|
||||||
/*
|
* If > 0, maximum cumulative size of RAM used inside any jail
|
||||||
* In MiB
|
*/
|
||||||
*/
|
/*
|
||||||
uint64_t cgroup_mem_max;
|
* In MiB
|
||||||
/*
|
*/
|
||||||
* Mount point for cgroups-memory in your system
|
uint64_t cgroup_mem_max;
|
||||||
*/
|
/*
|
||||||
char *cgroup_mem_mount;
|
* Mount point for cgroups-memory in your system
|
||||||
/*
|
*/
|
||||||
* Writeable directory (for the nsjail user) under cgroup_mem_mount
|
char *cgroup_mem_mount;
|
||||||
*/
|
/*
|
||||||
char *cgroup_mem_parent;
|
* Writeable directory (for the nsjail user) under cgroup_mem_mount
|
||||||
/*
|
*/
|
||||||
* If > 0, maximum number of PIDs (threads/processes) inside jail
|
char *cgroup_mem_parent;
|
||||||
*/
|
/*
|
||||||
uint64_t cgroup_pids_max;
|
* If > 0, maximum number of PIDs (threads/processes) inside jail
|
||||||
/*
|
*/
|
||||||
* Mount point for cgroups-pids in your system
|
uint64_t cgroup_pids_max;
|
||||||
*/
|
/*
|
||||||
char *cgroup_pids_mount;
|
* Mount point for cgroups-pids in your system
|
||||||
/*
|
*/
|
||||||
* Writeable directory (for the nsjail user) under cgroup_pids_mount
|
char *cgroup_pids_mount;
|
||||||
*/
|
/*
|
||||||
char *cgroup_pids_parent;
|
* Writeable directory (for the nsjail user) under cgroup_pids_mount
|
||||||
/*
|
*/
|
||||||
* Should the 'lo' interface be brought up (active) inside this jail?
|
char *cgroup_pids_parent;
|
||||||
*/
|
/*
|
||||||
protobuf_c_boolean iface_no_lo;
|
* Should the 'lo' interface be brought up (active) inside this jail?
|
||||||
/*
|
*/
|
||||||
* Parameters for the cloned MACVLAN interface inside jail
|
protobuf_c_boolean iface_no_lo;
|
||||||
*/
|
/*
|
||||||
/*
|
* Parameters for the cloned MACVLAN interface inside jail
|
||||||
* Interface to be cloned, eg 'eth0'
|
*/
|
||||||
*/
|
/*
|
||||||
char *macvlan_iface;
|
* Interface to be cloned, eg 'eth0'
|
||||||
char *macvlan_vs_ip;
|
*/
|
||||||
char *macvlan_vs_nm;
|
char *macvlan_iface;
|
||||||
char *macvlan_vs_gw;
|
char *macvlan_vs_ip;
|
||||||
/*
|
char *macvlan_vs_nm;
|
||||||
* Binary path (with arguments) to be executed. If not specified here, it
|
char *macvlan_vs_gw;
|
||||||
*can be specified with cmd-line as "-- /path/to/command arg1 arg2"
|
/*
|
||||||
*/
|
* Binary path (with arguments) to be executed. If not specified here, it
|
||||||
Nsjail__Exe *exec_bin;
|
*can be specified with cmd-line as "-- /path/to/command arg1 arg2"
|
||||||
|
*/
|
||||||
|
Nsjail__Exe *exec_bin;
|
||||||
};
|
};
|
||||||
extern char nsjail__ns_jail_config__name__default_value[];
|
extern char nsjail__ns_jail_config__name__default_value[];
|
||||||
extern char nsjail__ns_jail_config__description__default_value[];
|
extern char nsjail__ns_jail_config__description__default_value[];
|
||||||
@ -377,60 +390,111 @@ extern char nsjail__ns_jail_config__macvlan_vs_gw__default_value[];
|
|||||||
{ PROTOBUF_C_MESSAGE_INIT (&nsjail__ns_jail_config__descriptor) \
|
{ PROTOBUF_C_MESSAGE_INIT (&nsjail__ns_jail_config__descriptor) \
|
||||||
, nsjail__ns_jail_config__name__default_value, nsjail__ns_jail_config__description__default_value, NSJAIL__MODE__ONCE, NULL, 0, nsjail__ns_jail_config__hostname__default_value, nsjail__ns_jail_config__cwd__default_value, 0u, nsjail__ns_jail_config__bindhost__default_value, 0u, 600u, 0, NULL, 0,0, 0, 0,NULL, 0, 0, 0,NULL, 0, 0, 512ull, 0ull, 600ull, 1ull, 32ull, 0,0, 0,0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0,NULL, 0,NULL, 0, 0,NULL, NULL, NULL, 0ull, nsjail__ns_jail_config__cgroup_mem_mount__default_value, nsjail__ns_jail_config__cgroup_mem_parent__default_value, 0ull, nsjail__ns_jail_config__cgroup_pids_mount__default_value, nsjail__ns_jail_config__cgroup_pids_parent__default_value, 0, NULL, nsjail__ns_jail_config__macvlan_vs_ip__default_value, nsjail__ns_jail_config__macvlan_vs_nm__default_value, nsjail__ns_jail_config__macvlan_vs_gw__default_value, NULL }
|
, nsjail__ns_jail_config__name__default_value, nsjail__ns_jail_config__description__default_value, NSJAIL__MODE__ONCE, NULL, 0, nsjail__ns_jail_config__hostname__default_value, nsjail__ns_jail_config__cwd__default_value, 0u, nsjail__ns_jail_config__bindhost__default_value, 0u, 600u, 0, NULL, 0,0, 0, 0,NULL, 0, 0, 0,NULL, 0, 0, 512ull, 0ull, 600ull, 1ull, 32ull, 0,0, 0,0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0,NULL, 0,NULL, 0, 0,NULL, NULL, NULL, 0ull, nsjail__ns_jail_config__cgroup_mem_mount__default_value, nsjail__ns_jail_config__cgroup_mem_parent__default_value, 0ull, nsjail__ns_jail_config__cgroup_pids_mount__default_value, nsjail__ns_jail_config__cgroup_pids_parent__default_value, 0, NULL, nsjail__ns_jail_config__macvlan_vs_ip__default_value, nsjail__ns_jail_config__macvlan_vs_nm__default_value, nsjail__ns_jail_config__macvlan_vs_gw__default_value, NULL }
|
||||||
|
|
||||||
|
|
||||||
/* Nsjail__IdMap methods */
|
/* Nsjail__IdMap methods */
|
||||||
void nsjail__id_map__init(Nsjail__IdMap * message);
|
void nsjail__id_map__init
|
||||||
size_t nsjail__id_map__get_packed_size(const Nsjail__IdMap * message);
|
(Nsjail__IdMap *message);
|
||||||
size_t nsjail__id_map__pack(const Nsjail__IdMap * message, uint8_t * out);
|
size_t nsjail__id_map__get_packed_size
|
||||||
size_t nsjail__id_map__pack_to_buffer(const Nsjail__IdMap * message, ProtobufCBuffer * buffer);
|
(const Nsjail__IdMap *message);
|
||||||
Nsjail__IdMap *nsjail__id_map__unpack
|
size_t nsjail__id_map__pack
|
||||||
(ProtobufCAllocator * allocator, size_t len, const uint8_t * data);
|
(const Nsjail__IdMap *message,
|
||||||
void nsjail__id_map__free_unpacked(Nsjail__IdMap * message, ProtobufCAllocator * allocator);
|
uint8_t *out);
|
||||||
|
size_t nsjail__id_map__pack_to_buffer
|
||||||
|
(const Nsjail__IdMap *message,
|
||||||
|
ProtobufCBuffer *buffer);
|
||||||
|
Nsjail__IdMap *
|
||||||
|
nsjail__id_map__unpack
|
||||||
|
(ProtobufCAllocator *allocator,
|
||||||
|
size_t len,
|
||||||
|
const uint8_t *data);
|
||||||
|
void nsjail__id_map__free_unpacked
|
||||||
|
(Nsjail__IdMap *message,
|
||||||
|
ProtobufCAllocator *allocator);
|
||||||
/* Nsjail__MountPt methods */
|
/* Nsjail__MountPt methods */
|
||||||
void nsjail__mount_pt__init(Nsjail__MountPt * message);
|
void nsjail__mount_pt__init
|
||||||
size_t nsjail__mount_pt__get_packed_size(const Nsjail__MountPt * message);
|
(Nsjail__MountPt *message);
|
||||||
size_t nsjail__mount_pt__pack(const Nsjail__MountPt * message, uint8_t * out);
|
size_t nsjail__mount_pt__get_packed_size
|
||||||
size_t nsjail__mount_pt__pack_to_buffer(const Nsjail__MountPt * message, ProtobufCBuffer * buffer);
|
(const Nsjail__MountPt *message);
|
||||||
Nsjail__MountPt *nsjail__mount_pt__unpack
|
size_t nsjail__mount_pt__pack
|
||||||
(ProtobufCAllocator * allocator, size_t len, const uint8_t * data);
|
(const Nsjail__MountPt *message,
|
||||||
void nsjail__mount_pt__free_unpacked(Nsjail__MountPt * message, ProtobufCAllocator * allocator);
|
uint8_t *out);
|
||||||
|
size_t nsjail__mount_pt__pack_to_buffer
|
||||||
|
(const Nsjail__MountPt *message,
|
||||||
|
ProtobufCBuffer *buffer);
|
||||||
|
Nsjail__MountPt *
|
||||||
|
nsjail__mount_pt__unpack
|
||||||
|
(ProtobufCAllocator *allocator,
|
||||||
|
size_t len,
|
||||||
|
const uint8_t *data);
|
||||||
|
void nsjail__mount_pt__free_unpacked
|
||||||
|
(Nsjail__MountPt *message,
|
||||||
|
ProtobufCAllocator *allocator);
|
||||||
/* Nsjail__Exe methods */
|
/* Nsjail__Exe methods */
|
||||||
void nsjail__exe__init(Nsjail__Exe * message);
|
void nsjail__exe__init
|
||||||
size_t nsjail__exe__get_packed_size(const Nsjail__Exe * message);
|
(Nsjail__Exe *message);
|
||||||
size_t nsjail__exe__pack(const Nsjail__Exe * message, uint8_t * out);
|
size_t nsjail__exe__get_packed_size
|
||||||
size_t nsjail__exe__pack_to_buffer(const Nsjail__Exe * message, ProtobufCBuffer * buffer);
|
(const Nsjail__Exe *message);
|
||||||
Nsjail__Exe *nsjail__exe__unpack(ProtobufCAllocator * allocator, size_t len, const uint8_t * data);
|
size_t nsjail__exe__pack
|
||||||
void nsjail__exe__free_unpacked(Nsjail__Exe * message, ProtobufCAllocator * allocator);
|
(const Nsjail__Exe *message,
|
||||||
|
uint8_t *out);
|
||||||
|
size_t nsjail__exe__pack_to_buffer
|
||||||
|
(const Nsjail__Exe *message,
|
||||||
|
ProtobufCBuffer *buffer);
|
||||||
|
Nsjail__Exe *
|
||||||
|
nsjail__exe__unpack
|
||||||
|
(ProtobufCAllocator *allocator,
|
||||||
|
size_t len,
|
||||||
|
const uint8_t *data);
|
||||||
|
void nsjail__exe__free_unpacked
|
||||||
|
(Nsjail__Exe *message,
|
||||||
|
ProtobufCAllocator *allocator);
|
||||||
/* Nsjail__NsJailConfig methods */
|
/* Nsjail__NsJailConfig methods */
|
||||||
void nsjail__ns_jail_config__init(Nsjail__NsJailConfig * message);
|
void nsjail__ns_jail_config__init
|
||||||
size_t nsjail__ns_jail_config__get_packed_size(const Nsjail__NsJailConfig * message);
|
(Nsjail__NsJailConfig *message);
|
||||||
size_t nsjail__ns_jail_config__pack(const Nsjail__NsJailConfig * message, uint8_t * out);
|
size_t nsjail__ns_jail_config__get_packed_size
|
||||||
|
(const Nsjail__NsJailConfig *message);
|
||||||
|
size_t nsjail__ns_jail_config__pack
|
||||||
|
(const Nsjail__NsJailConfig *message,
|
||||||
|
uint8_t *out);
|
||||||
size_t nsjail__ns_jail_config__pack_to_buffer
|
size_t nsjail__ns_jail_config__pack_to_buffer
|
||||||
(const Nsjail__NsJailConfig * message, ProtobufCBuffer * buffer);
|
(const Nsjail__NsJailConfig *message,
|
||||||
Nsjail__NsJailConfig *nsjail__ns_jail_config__unpack
|
ProtobufCBuffer *buffer);
|
||||||
(ProtobufCAllocator * allocator, size_t len, const uint8_t * data);
|
Nsjail__NsJailConfig *
|
||||||
void nsjail__ns_jail_config__free_unpacked
|
nsjail__ns_jail_config__unpack
|
||||||
(Nsjail__NsJailConfig * message, ProtobufCAllocator * allocator);
|
(ProtobufCAllocator *allocator,
|
||||||
|
size_t len,
|
||||||
|
const uint8_t *data);
|
||||||
|
void nsjail__ns_jail_config__free_unpacked
|
||||||
|
(Nsjail__NsJailConfig *message,
|
||||||
|
ProtobufCAllocator *allocator);
|
||||||
/* --- per-message closures --- */
|
/* --- per-message closures --- */
|
||||||
|
|
||||||
typedef void (*Nsjail__IdMap_Closure)
|
typedef void (*Nsjail__IdMap_Closure)
|
||||||
(const Nsjail__IdMap * message, void *closure_data);
|
(const Nsjail__IdMap *message,
|
||||||
|
void *closure_data);
|
||||||
typedef void (*Nsjail__MountPt_Closure)
|
typedef void (*Nsjail__MountPt_Closure)
|
||||||
(const Nsjail__MountPt * message, void *closure_data);
|
(const Nsjail__MountPt *message,
|
||||||
|
void *closure_data);
|
||||||
typedef void (*Nsjail__Exe_Closure)
|
typedef void (*Nsjail__Exe_Closure)
|
||||||
(const Nsjail__Exe * message, void *closure_data);
|
(const Nsjail__Exe *message,
|
||||||
|
void *closure_data);
|
||||||
typedef void (*Nsjail__NsJailConfig_Closure)
|
typedef void (*Nsjail__NsJailConfig_Closure)
|
||||||
(const Nsjail__NsJailConfig * message, void *closure_data);
|
(const Nsjail__NsJailConfig *message,
|
||||||
|
void *closure_data);
|
||||||
|
|
||||||
/* --- services --- */
|
/* --- services --- */
|
||||||
|
|
||||||
|
|
||||||
/* --- descriptors --- */
|
/* --- descriptors --- */
|
||||||
|
|
||||||
extern const ProtobufCEnumDescriptor nsjail__mode__descriptor;
|
extern const ProtobufCEnumDescriptor nsjail__mode__descriptor;
|
||||||
extern const ProtobufCEnumDescriptor nsjail__log_level__descriptor;
|
extern const ProtobufCEnumDescriptor nsjail__log_level__descriptor;
|
||||||
extern const ProtobufCMessageDescriptor nsjail__id_map__descriptor;
|
extern const ProtobufCMessageDescriptor nsjail__id_map__descriptor;
|
||||||
extern const ProtobufCMessageDescriptor nsjail__mount_pt__descriptor;
|
extern const ProtobufCMessageDescriptor nsjail__mount_pt__descriptor;
|
||||||
extern const ProtobufCMessageDescriptor nsjail__exe__descriptor;
|
extern const ProtobufCMessageDescriptor nsjail__exe__descriptor;
|
||||||
extern const ProtobufCMessageDescriptor nsjail__ns_jail_config__descriptor;
|
extern const ProtobufCMessageDescriptor nsjail__ns_jail_config__descriptor;
|
||||||
|
|
||||||
PROTOBUF_C__END_DECLS
|
PROTOBUF_C__END_DECLS
|
||||||
#endif /* PROTOBUF_C_config_2eproto__INCLUDED */
|
|
||||||
|
|
||||||
|
#endif /* PROTOBUF_C_config_2eproto__INCLUDED */
|
||||||
|
@ -42,8 +42,8 @@ message MountPt
|
|||||||
required string options = 6 [ default = "" ];
|
required string options = 6 [ default = "" ];
|
||||||
/* Is it 'mount --bind src dst' type of mount */
|
/* Is it 'mount --bind src dst' type of mount */
|
||||||
required bool is_bind = 7 [ default = false ];
|
required bool is_bind = 7 [ default = false ];
|
||||||
/* It it RO mount */
|
/* It it R/W mount */
|
||||||
required bool is_ro = 8 [ default = false ];
|
required bool rw = 8 [ default = false ];
|
||||||
/* Is it directory? If not specified an internal
|
/* Is it directory? If not specified an internal
|
||||||
heuristics will be used to determine that */
|
heuristics will be used to determine that */
|
||||||
optional bool is_dir = 9;
|
optional bool is_dir = 9;
|
||||||
|
@ -70,35 +70,35 @@ mount {
|
|||||||
src: "/lib"
|
src: "/lib"
|
||||||
dst: "/lib"
|
dst: "/lib"
|
||||||
is_bind: true
|
is_bind: true
|
||||||
is_ro: true
|
rw: false
|
||||||
}
|
}
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
src: "/bin"
|
src: "/bin"
|
||||||
dst: "/bin"
|
dst: "/bin"
|
||||||
is_bind: true
|
is_bind: true
|
||||||
is_ro: true
|
rw: false
|
||||||
}
|
}
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
src: "/sbin"
|
src: "/sbin"
|
||||||
dst: "/sbin"
|
dst: "/sbin"
|
||||||
is_bind: true
|
is_bind: true
|
||||||
is_ro: true
|
rw: false
|
||||||
}
|
}
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
src: "/usr"
|
src: "/usr"
|
||||||
dst: "/usr"
|
dst: "/usr"
|
||||||
is_bind: true
|
is_bind: true
|
||||||
is_ro: true
|
rw: false
|
||||||
}
|
}
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
src: "/lib64"
|
src: "/lib64"
|
||||||
dst: "/lib64"
|
dst: "/lib64"
|
||||||
is_bind: true
|
is_bind: true
|
||||||
is_ro: true
|
rw: false
|
||||||
mandatory: false
|
mandatory: false
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -106,14 +106,14 @@ mount {
|
|||||||
src: "/lib32"
|
src: "/lib32"
|
||||||
dst: "/lib32"
|
dst: "/lib32"
|
||||||
is_bind: true
|
is_bind: true
|
||||||
is_ro: true
|
rw: false
|
||||||
mandatory: false
|
mandatory: false
|
||||||
}
|
}
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
dst: "/tmp"
|
dst: "/tmp"
|
||||||
fstype: "tmpfs"
|
fstype: "tmpfs"
|
||||||
is_ro: false
|
rw: true
|
||||||
is_bind: false
|
is_bind: false
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -121,21 +121,21 @@ mount {
|
|||||||
dst: "/dev"
|
dst: "/dev"
|
||||||
fstype: "tmpfs"
|
fstype: "tmpfs"
|
||||||
options: "size=8388608"
|
options: "size=8388608"
|
||||||
is_ro: false
|
rw: true
|
||||||
is_bind: false
|
is_bind: false
|
||||||
}
|
}
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
src: "/dev/null"
|
src: "/dev/null"
|
||||||
dst: "/dev/null"
|
dst: "/dev/null"
|
||||||
is_ro: false
|
rw: true
|
||||||
is_bind: true
|
is_bind: true
|
||||||
}
|
}
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
dst: "/proc"
|
dst: "/proc"
|
||||||
fstype: "proc"
|
fstype: "proc"
|
||||||
is_ro: true
|
rw: false
|
||||||
}
|
}
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
|
@ -83,7 +83,7 @@ mount {
|
|||||||
src: "/dev/urandom"
|
src: "/dev/urandom"
|
||||||
dst: "/dev/urandom"
|
dst: "/dev/urandom"
|
||||||
is_bind: true
|
is_bind: true
|
||||||
is_ro: false
|
rw: true
|
||||||
}
|
}
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
@ -103,21 +103,21 @@ mount {
|
|||||||
mount {
|
mount {
|
||||||
dst: "/tmp"
|
dst: "/tmp"
|
||||||
fstype: "tmpfs"
|
fstype: "tmpfs"
|
||||||
is_ro: false
|
rw: true
|
||||||
is_bind: false
|
is_bind: false
|
||||||
}
|
}
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
dst: "/user"
|
dst: "/user"
|
||||||
fstype: "tmpfs"
|
fstype: "tmpfs"
|
||||||
is_ro: false
|
rw: true
|
||||||
}
|
}
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
prefix_src_env: "HOME"
|
prefix_src_env: "HOME"
|
||||||
src: "/Documents"
|
src: "/Documents"
|
||||||
dst: "/user/Documents"
|
dst: "/user/Documents"
|
||||||
is_ro: false
|
rw: true
|
||||||
is_bind: true
|
is_bind: true
|
||||||
mandatory: false
|
mandatory: false
|
||||||
}
|
}
|
||||||
@ -127,20 +127,19 @@ mount {
|
|||||||
src: "/.mozilla"
|
src: "/.mozilla"
|
||||||
dst: "/user/.mozilla"
|
dst: "/user/.mozilla"
|
||||||
is_bind: true
|
is_bind: true
|
||||||
is_ro: false
|
rw: true
|
||||||
mandatory: false
|
mandatory: false
|
||||||
}
|
}
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
dst: "/user/.cache"
|
dst: "/user/.cache"
|
||||||
fstype: "tmpfs"
|
fstype: "tmpfs"
|
||||||
is_ro: false
|
rw: true
|
||||||
}
|
}
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
src: "/tmp/.X11-unix/X0"
|
src: "/tmp/.X11-unix/X0"
|
||||||
dst: "/tmp/.X11-unix/X0"
|
dst: "/tmp/.X11-unix/X0"
|
||||||
is_ro: false
|
|
||||||
is_bind: true
|
is_bind: true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -64,13 +64,13 @@ mount {
|
|||||||
mount {
|
mount {
|
||||||
dst: "/tmp"
|
dst: "/tmp"
|
||||||
fstype: "tmpfs"
|
fstype: "tmpfs"
|
||||||
is_ro: false
|
rw: true
|
||||||
}
|
}
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
dst: "/user"
|
dst: "/user"
|
||||||
fstype: "tmpfs"
|
fstype: "tmpfs"
|
||||||
is_ro: false
|
rw: true
|
||||||
}
|
}
|
||||||
|
|
||||||
mount {
|
mount {
|
||||||
@ -83,7 +83,6 @@ mount {
|
|||||||
mount {
|
mount {
|
||||||
src: "/tmp/.X11-unix/X0"
|
src: "/tmp/.X11-unix/X0"
|
||||||
dst: "/tmp/.X11-unix/X0"
|
dst: "/tmp/.X11-unix/X0"
|
||||||
is_ro: false
|
|
||||||
is_bind: true
|
is_bind: true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user